BlueHat: Something Old, Something New, All Blue

Rank: Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team

Likes: Cool vulns, BlueHat, soldering irons, quantum teleportation

Dislikes: Rudeness, socks-n-sandals, licorice

Reflecting on my past five years at Microsoft (I know! How time flies!), I can see with fresh perspective just how far we’ve come, while staying true to our goals of helping to protect customers and the computing ecosystem. I just recently returned from maternity leave and launched right into conference season with a bang, speaking at several conferences where I had the opportunity to hang out with old and new friends in the security researcher community. As Microsoft completes its tenth year of working with the broader security community as part of our Trustworthy Computing tenet, it’s a good time to look at how the relationship has developed so far.

Our on-campus BlueHat Briefings started back in 2005. At the time we had two key goals: to expose our own developers and technical contacts to smart researchers both inside and outside our very large company, and to give researchers a conduit to the developers and tech folk who might not yet appreciate the value of thinking like an attacker. As you might guess, at the beginning there was suspicion and maybe even a little fear on both sides, as researchers came to Redmond, and executives and product teams came out of their comfort zones, to talk honestly about security. But it worked, and others follow the model with similar conferences of their own now. And even as we prepare for the twelfth edition of the Briefings, it’s still great watching a researcher explain an issue directly to the developers responsible for writing the code to fix it.

Since then, the BlueHat Briefings have evolved into part of a larger strategy to play well within the community and improve the broader computing ecosystem. In addition to the Briefings, we provide direct financial sponsorship and support for other industry events around the world – this year, 20 or so conferences across 12 countries. Some improvements in relations with individual researchers have been simple, like establishing our bulletin acknowledgement policy and Online Services Acknowledgements policy to recognize researchers who report issues directly to us. We recognize individual talent in other ways, offering contracts for penetration testing of products in development – in fact, many of the current pen-testing contracts in effect at Microsoft right now were born from researchers that have shown their talents by reporting issues to MSRC. Sometimes, we’re able to hire this talent to Microsoft as well; we have great talent from the researcher community working here, and we’re always looking for more. And we don’t stop finding ways to work meaningfully with the community. This past summer, we awarded $260,000 to researchers as a part of the first-ever BlueHat Prize. This prize offers financial rewards to researchers to develop security defenses that can take out entire classes of attacks.

In seven weeks we will gather together at our 12th BlueHat Briefings here in Redmond and have this opportunity for the bidirectional exchange of ideas among people who are passionate about security, both inside and outside of Microsoft. We have gone from listening and learning from the community to being a true part of it. As the landscape has changed, we’ve evolved our response and engagements and will continue to do so.

Where does this working relationship with this community — and the future of security research — go over the next 10 years? We’ll focus on building cool products that the researcher community will inevitably help us secure, in their own way – by reporting issues to us via Coordinated Vulnerability Disclosure, by coming to educate and “exploitain” our developers and executives at the BlueHat Briefings, and by working for Microsoft and becoming part of our internal security community to help us defend over a billion computer systems worldwide. We’re excited to imagine what the next decade will look like and how we’ll work together, and I’m just as curious today about what is next in the cobra-mongoose battle between attackers and defenders as I was when I joined this company over five years ago.

Stay tuned for the speaker line-up as we move closer to the event. I look forward to welcoming the next members of our elite group – our BlueHat community – as we evolve and grow together.